- Check if URL is pointing to the right service

sandy081 · sandy081 · commit 56291eda34a1 · 2022-01-27T12:21:36.000+01:00
- Set selective request and response headers
- Update the scheme on the client
diff --git a/src/vs/base/common/network.ts b/src/vs/base/common/network.ts
@@ -130,6 +130,10 @@ class RemoteAuthoritiesImpl {
 		this._connectionTokens[authority] = connectionToken;
 	}
 
+	getPreferredWebSchema(): 'http' | 'https' {
+		return this._preferredWebSchema;
+	}
+
 	rewrite(uri: URI): URI {
 		if (this._delegate) {
 			return this._delegate(uri);
diff --git a/src/vs/server/node/webClientServer.ts b/src/vs/server/node/webClientServer.ts
@@ -19,12 +19,13 @@ import { FileAccess, connectionTokenCookieName, connectionTokenQueryName } from
 import { generateUuid } from 'vs/base/common/uuid';
 import { IProductService } from 'vs/platform/product/common/productService';
 import { ServerConnectionToken, ServerConnectionTokenType } from 'vs/server/node/serverConnectionToken';
-import { IRequestService } from 'vs/platform/request/common/request';
+import { asText, IRequestService } from 'vs/platform/request/common/request';
 import { IHeaders } from 'vs/base/parts/request/common/request';
 import { CancellationToken } from 'vs/base/common/cancellation';
 import { URI } from 'vs/base/common/uri';
 import { streamToBuffer } from 'vs/base/common/buffer';
 import { IProductConfiguration } from 'vs/base/common/product';
+import { isString } from 'vs/base/common/types';
 
 const textMimeType = {
 	'.html': 'text/html',
@@ -139,34 +140,73 @@ export class WebClientServer {
 		return serveFile(this._logService, req, res, filePath, headers);
 	}
 
+	private _getResourceURLTemplateAuthority(uri: URI): string | undefined {
+		const index = uri.authority.indexOf('.');
+		return index !== -1 ? uri.authority.substring(index + 1) : undefined;
+	}
+
 	/**
 	 * Handle extension resources
 	 */
 	private async _handleWebExtensionResource(req: http.IncomingMessage, res: http.ServerResponse, parsedUrl: url.UrlWithParsedQuery): Promise<void> {
+		if (!this._productService.extensionsGallery?.resourceUrlTemplate) {
+			return serveError(req, res, 500, 'No extension gallery service configured.');
+		}
+
 		// Strip `/web-extension-resource/` from the path
 		const normalizedPathname = decodeURIComponent(parsedUrl.pathname!); // support paths that are uri-encoded (e.g. spaces => %20)
 		const path = normalize(normalizedPathname.substr('/web-extension-resource/'.length));
-
-		const url = URI.parse(path).with({
+		const uri = URI.parse(path).with({
 			scheme: this._productService.extensionsGallery?.resourceUrlTemplate ? URI.parse(this._productService.extensionsGallery.resourceUrlTemplate).scheme : 'https',
 			authority: path.substring(0, path.indexOf('/')),
 			path: path.substring(path.indexOf('/') + 1)
-		}).toString(true);
+		});
+
+		if (this._getResourceURLTemplateAuthority(URI.parse(this._productService.extensionsGallery.resourceUrlTemplate)) !== this._getResourceURLTemplateAuthority(uri)) {
+			return serveError(req, res, 403, 'Request Forbidden');
+		}
 
 		const headers: IHeaders = {};
-		for (const header of req.rawHeaders) {
-			if (req.headers[header]) {
-				headers[header] = req.headers[header]![0];
+		const seRequestHeader = (header: string) => {
+			const value = req.headers[header];
+			if (value && (isString(value) || value[0])) {
+				headers[header] = isString(value) ? value : value[0];
+			} else if (header !== header.toLowerCase()) {
+				seRequestHeader(header.toLowerCase());
 			}
-		}
+		};
+		seRequestHeader('X-Client-Name');
+		seRequestHeader('X-Client-Version');
+		seRequestHeader('X-Machine-Id');
+		seRequestHeader('X-Client-Commit');
 
 		const context = await this._requestService.request({
 			type: 'GET',
-			url,
+			url: uri.toString(true),
 			headers
 		}, CancellationToken.None);
 
-		res.writeHead(context.res.statusCode || 500, context.res.headers);
+		const status = context.res.statusCode || 500;
+		if (status !== 200) {
+			let text: string | null = null;
+			try {
+				text = await asText(context);
+			} catch (error) {/* Ignore */ }
+			return serveError(req, res, status, text || `Request failed with status ${status}`);
+		}
+
+		const responseHeaders: Record<string, string> = Object.create(null);
+		const seResponseHeader = (header: string) => {
+			const value = context.res.headers[header];
+			if (value) {
+				responseHeaders[header] = value;
+			} else if (header !== header.toLowerCase()) {
+				seResponseHeader(header.toLowerCase());
+			}
+		};
+		seResponseHeader('Cache-Control');
+		seResponseHeader('Content-Type');
+		res.writeHead(200, responseHeaders);
 		const buffer = await streamToBuffer(context.stream);
 		return res.end(buffer.buffer);
 	}
diff --git a/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts b/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
@@ -16,6 +16,9 @@ import { getServiceMachineId } from 'vs/platform/externalServices/common/service
 import { IStorageService } from 'vs/platform/storage/common/storage';
 import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';
 import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';
+import { RemoteAuthorities } from 'vs/base/common/network';
+
+export const WEB_EXTENSION_RESOURCE_END_POINT = 'web-extension-resource';
 
 export const IExtensionResourceLoaderService = createDecorator<IExtensionResourceLoaderService>('extensionResourceLoaderService');
 
@@ -68,7 +71,8 @@ export abstract class AbstractExtensionResourceLoaderService implements IExtensi
 
 	public getExtensionGalleryResourceURL(galleryExtension: { publisher: string, name: string, version: string }, path?: string): URI | undefined {
 		if (this._extensionGalleryResourceUrlTemplate) {
-			return URI.parse(format2(this._extensionGalleryResourceUrlTemplate, { publisher: galleryExtension.publisher, name: galleryExtension.name, version: galleryExtension.version, path: 'extension' }));
+			const uri = URI.parse(format2(this._extensionGalleryResourceUrlTemplate, { publisher: galleryExtension.publisher, name: galleryExtension.name, version: galleryExtension.version, path: 'extension' }));
+			return this._isWebExtensionResourceEndPoint(uri) ? uri.with({ scheme: RemoteAuthorities.getPreferredWebSchema() }) : uri;
 		}
 		return undefined;
 	}
@@ -103,8 +107,15 @@ export abstract class AbstractExtensionResourceLoaderService implements IExtensi
 	}
 
 	private _getExtensionGalleryAuthority(uri: URI): string | undefined {
+		if (this._isWebExtensionResourceEndPoint(uri)) {
+			return uri.authority;
+		}
 		const index = uri.authority.indexOf('.');
 		return index !== -1 ? uri.authority.substring(index + 1) : undefined;
 	}
 
+	protected _isWebExtensionResourceEndPoint(uri: URI): boolean {
+		return uri.path.startsWith(`/${WEB_EXTENSION_RESOURCE_END_POINT}/`);
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,9 @@ import { getServiceMachineId } from 'vs/platform/externalServices/common/service`
`16`	`16`	`import { IStorageService } from 'vs/platform/storage/common/storage';`
`17`	`17`	`import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';`
`18`	`18`	`import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';`
	`19`	`+import { RemoteAuthorities } from 'vs/base/common/network';`
	`20`	`+`
	`21`	`+export const WEB_EXTENSION_RESOURCE_END_POINT = 'web-extension-resource';`
`19`	`22`
`20`	`23`	`export const IExtensionResourceLoaderService = createDecorator<IExtensionResourceLoaderService>('extensionResourceLoaderService');`
`21`	`24`
`@@ -68,7 +71,8 @@ export abstract class AbstractExtensionResourceLoaderService implements IExtensi`
`68`	`71`
`69`	`72`	`public getExtensionGalleryResourceURL(galleryExtension: { publisher: string, name: string, version: string }, path?: string): URI \| undefined {`
`70`	`73`	`if (this._extensionGalleryResourceUrlTemplate) {`
`71`		`- return URI.parse(format2(this._extensionGalleryResourceUrlTemplate, { publisher: galleryExtension.publisher, name: galleryExtension.name, version: galleryExtension.version, path: 'extension' }));`
	`74`	`+ const uri = URI.parse(format2(this._extensionGalleryResourceUrlTemplate, { publisher: galleryExtension.publisher, name: galleryExtension.name, version: galleryExtension.version, path: 'extension' }));`
	`75`	`+ return this._isWebExtensionResourceEndPoint(uri) ? uri.with({ scheme: RemoteAuthorities.getPreferredWebSchema() }) : uri;`
`72`	`76`	`}`
`73`	`77`	`return undefined;`
`74`	`78`	`}`
`@@ -103,8 +107,15 @@ export abstract class AbstractExtensionResourceLoaderService implements IExtensi`
`103`	`107`	`}`
`104`	`108`
`105`	`109`	`private _getExtensionGalleryAuthority(uri: URI): string \| undefined {`
	`110`	`+ if (this._isWebExtensionResourceEndPoint(uri)) {`
	`111`	`+ return uri.authority;`
	`112`	`+ }`
`106`	`113`	`const index = uri.authority.indexOf('.');`
`107`	`114`	`return index !== -1 ? uri.authority.substring(index + 1) : undefined;`
`108`	`115`	`}`
`109`	`116`
	`117`	`+ protected _isWebExtensionResourceEndPoint(uri: URI): boolean {`
	`118`	+ return uri.path.startsWith(`/${WEB_EXTENSION_RESOURCE_END_POINT}/`);
	`119`	`+ }`
	`120`	`+`
`110`	`121`	`}`